1. How to Build a Successful Cyber Security Program
©2019 Information Security Forum Limited
Mark Chaplin
Information Security Forum
2. Agenda
1. About the Information Security Forum
2. Context – Business operations
3. Drivers for cyber security
4. Cyber threat landscape
5. Cyber security challenges
6. The role of cyber risk management
7. Cyber security programme – Key ingredients
8. Building a cyber security programme
9. Remaining business and risk focused
10. Getting started – 5 takeaways
3. About the Information Security Forum (ISF)
The leading global authority on cyber security and information risk management
We are an international association of over 480 leading global organisations (Fortune 500/Forbes 2000), which...
• addresses key issues in information risk management through research and collaboration
• develops practical tools and guidance
• remains a fully independent, not-for-profit organisation driven by its Members
• promotes networking within its Membership.
Our Members include over 99 international banks and financial institutions
4. ISF services help business leaders and information security practitioners to address business issues across the enterprise
What are the issues faced by:
• Board Members
• Chief Information Security Officers
• Information Security Managers
• Business Managers
• IT Managers and Technical Staff
• Internal and External Auditors
• IT Service Providers
• Procurement and Vendor Management Teams
• Understanding cyber risk as a key component of the business strategy
• Mounting volumes of critical and sensitive information
• Increasing economic, legal and regulatory pressures
• Greater focus on privacy and data protection
• Increased dependency on the supply chain
• Need to be agile and competitive
• Changing culture of end users
• Increased use of diverse technology
• Business impact of incidents
• Emerging and changing threats
• Globalisation and cyber security
5. Context – Business operations
• Strategy
• Commerce
• Products and services
• Supply chain
• Workforce
• Location and premises
• Power and telecommunications
6. Drivers – Board expectations
1. Preparedness for a crisis
2. Situational awareness
3. Basic cyber protection measures
4. Resilience
5. Proven and effective risk management
6. Good practice in security governance
7. Assurance
8. Drivers – Information and technology
Technology
• Legacy to emerging
• Information technology to operational technology
• Cloud / Virtualisation
• Artificial intelligence / Quantum computing
• Blockchain / Internet of Things
Every second
• 4,193 Skype calls
• 81GB of Internet traffic
• 78,000 Google searches
• 81,000 YouTube videos viewed
• 2,851,735 emails sent
https://www.internetlivestats.com
9. Drivers – Information and technology
The Wall Street Journal, The Guardian Weekly, China Daily, The Straits Times, UCL European Institute, The Washington Post
10. Cyber threat landscape
www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
2009–2019
11. World’s Biggest Data Breaches & Hacks
InformationIsBeautiful.net using data from Identity Theft Resource Center and DataBreaches.net
12. Cyber threat landscape
New York Times, Wired Magazine, Reuters, Foreignpolicy.com, BBC, The Independent, The Telegraph, The Washington Post, The Huffington Post, The Guardian Nigeria, Arab News, Energy Voice
13. Profit-driven attacks
FT, BBC, Wired Magazine, Forbes Magazine, Reuters, ICO, Identity Theft Resource Center, Privacy Rights Clearinghouse and Hackmageddon.com
14. Major financially-motivated breaches
Privacy Rights Clearinghouse Data Breaches
15. Tangible loss from cyber attacks
FT, BBC, Wired Magazine, Forbes Magazine, Reuters, ICO, Identity Theft Resource Center, Privacy Rights Clearinghouse and Hackmageddon.com
16. Cyber security challenges
• Poor terminology
• Insufficient quality/validated risk data
• Focus on assessment not management
• Lack of integration with business risk management
• Inadequate tooling
• Difficulties interpreting data, communicating risk and making key business decisions
• Measurement of the wrong data points
• Limited to no assurance of risk management
17. The role of cyber risk management
• Reduce uncertainty
• Quantify risk in terms of clear probability and magnitude
• Inform decision making
• Prioritise actions
• Improve/direct spending
• Manage expectations
• Prevent bad things from happening
• Achieve perfect (100%) security
• Reduce loss to zero
• Demonstrate compliance
• Support a subjective need
• Make people feel comfortable
• Identify scapegoats
18. Cyber risk management objectives
1. Reduce the frequency of successful cyber threat events
2. Reduce the financial loss of cyber loss events
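The two objectives above, together with the earlier point about quantifying risk in terms of clear probability and magnitude, treat cyber risk as frequency times magnitude. The following is an added Python example, not code from the ISF deck or from PECB, that models a small risk register that way: expected annual loss per scenario, aggregation across the register, and a cost-benefit ranking of controls that act on frequency, on magnitude, or on both. Every scenario name, event rate, loss figure and control cost is a constructed illustration, not data from the slides.

```python
# Added example (not from the ISF deck): a minimal quantitative cyber-risk model.
# Each risk is frequency x magnitude, the two levers the deck's objectives name,
# and controls are judged by the expected loss they avoid net of their cost.
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One loss scenario in the register (all values are constructed samples)."""
    name: str
    events_per_year: float   # expected frequency of successful threat events (Poisson rate)
    loss_per_event: float    # expected financial loss per loss event, in currency units


@dataclass(frozen=True)
class Control:
    """A mitigation with an annual cost and the fractions by which it cuts frequency and magnitude."""
    name: str
    annual_cost: float
    frequency_reduction: float = 0.0   # 0.0 = no effect on how often events succeed
    magnitude_reduction: float = 0.0   # 0.0 = no effect on the loss once an event occurs


def expected_annual_loss(risk: Risk) -> float:
    """Frequency x magnitude: the annualised loss expectancy of one scenario."""
    return risk.events_per_year * risk.loss_per_event


def probability_of_at_least_one(risk: Risk) -> float:
    """P(N >= 1) when the yearly event count N is Poisson with rate events_per_year."""
    return 1.0 - math.exp(-risk.events_per_year)


def apply_control(risk: Risk, control: Control) -> Risk:
    """Residual risk after a control: frequency and magnitude are scaled independently."""
    return replace(
        risk,
        events_per_year=risk.events_per_year * (1.0 - control.frequency_reduction),
        loss_per_event=risk.loss_per_event * (1.0 - control.magnitude_reduction),
    )


def aggregate_expected_loss(register: list[Risk]) -> float:
    """Expected values add even for dependent scenarios, so the register aggregates by summation."""
    return sum(expected_annual_loss(r) for r in register)


def net_benefit(risk: Risk, control: Control) -> float:
    """Cost-benefit: expected loss avoided per year minus the control's annual cost."""
    avoided = expected_annual_loss(risk) - expected_annual_loss(apply_control(risk, control))
    return avoided - control.annual_cost


def rank_controls(risk: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Order controls by net annual benefit against one scenario, best first."""
    ranked = [(c.name, net_benefit(risk, c)) for c in controls]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed register: two scenarios with illustrative numbers (not from the deck).
REGISTER = [
    Risk("ransomware on file servers", events_per_year=0.5, loss_per_event=400_000.0),
    Risk("payment-card data breach", events_per_year=0.1, loss_per_event=2_000_000.0),
]

# Constructed controls: one acts on frequency, one on magnitude, one on both.
CONTROLS = [
    Control("MFA plus patch SLA", annual_cost=60_000.0, frequency_reduction=0.6),
    Control("offline backups plus IR retainer", annual_cost=45_000.0, magnitude_reduction=0.5),
    Control("both", annual_cost=110_000.0, frequency_reduction=0.6, magnitude_reduction=0.5),
]


if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.name}: EAL {expected_annual_loss(risk):,.0f}, "
              f"P(>=1 event/yr) {probability_of_at_least_one(risk):.1%}")
    print(f"register EAL: {aggregate_expected_loss(REGISTER):,.0f}")
    for name, benefit in rank_controls(REGISTER[0], CONTROLS):
        print(f"{name}: net benefit {benefit:,.0f}/yr")
```

With these constructed inputs the ransomware scenario has an expected annual loss of 200,000 and the register as a whole 400,000; the frequency control ranks first against ransomware, and combining both controls ranks last because their costs stack while the avoided loss does not double. The point-estimate model keeps the arithmetic visible; a production register would replace the single rate and loss figures with distributions and report a loss exceedance curve rather than one expected value.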
19. Cyber security programme – Key ingredients
• Governance
• Management
• Methodology
• Architecture / Control framework
• Tooling
• Measurement and analysis
• Visualisation / Communication
• Decision support and action
• Assurance and improvement
• Supply chain
• Resilience
• Asset management
• Business process mapping
• Event management and metrics
• Threat and vulnerability management
• Audit/assessments
• Incident management
20. Benefits of applying a business and risk-based approach
1. More consistent use of risk management language with key decision-makers
2. Greater understanding of the threat landscape and corresponding losses
3. Justified confidence in the adequacy of the methodology
4. Effective use of risk appetite (aversion / tolerance)
5. Integration with broader risk management disciplines and practices
6. Continuous evaluation and improvement
7. Target spending, reduce exposure and minimise waste
8. Improve decision-making with cost-benefit analysis
9. Reduce subjectivity and increase objectivity
10. Accurately measure, aggregate and quantify cyber risk
21. Remaining business and risk focused
Dimensions: Objectives, Approach, Purpose, People, Activity, Communication, Measurement
Compared for: CEO and Leadership Team; CISO and Security Function
22. Getting started – 5 take-aways
1. Test and update cyber incident / crisis management capabilities
2. Improve basic cyber protection
3. Establish cyber situational awareness
4. Focus on reducing the frequency of adverse cyber events and the subsequent financial loss, when they occur
5. Provide continuous assurance of cyber risk mitigation
24. ISO/IEC 27032 Training Courses
• ISO/IEC 27032 Introduction: 1-day course
• ISO/IEC 27032 Foundation: 2-day course
• ISO/IEC 27032 Lead Cybersecurity Manager: 5-day course
Exam and certification fees are included in the training price.
www.pecb.com/en/education-and-certification-for-individuals/iso-iec-27032
www.pecb.com/events